[chrony-dev] [Git][chrony/chrony][master] 4 commits: client: mitigate unsafe permissions change on chronyc socket


Miroslav Lichvar pushed to branch master at chrony / chrony

Commits:

  • 90d808ed
    by Miroslav Lichvar at 2025-07-30T14:46:59+02:00
    client: mitigate unsafe permissions change on chronyc socket
    
    When chronyc running under root binds its Unix domain socket, it needs
    to change the socket permissions in order for chronyd running without
    root privileges to be able to send a response to the socket.
    
    There is a race condition between the bind() and chmod() calls. If an
    attacker was able to execute arbitrary code in the chronyd process, it
    might be able to wait for chronyc to be executed under root, replace the
    socket with a symlink between the two calls, and cause the privileged
    chronyc process to change permissions of something else, possibly
    leading to a privilege escalation.
    
    There doesn't seem to be a safe and portable way to change the socket
    permissions directly. Changing the process umask could be problematic in
    future with threads.
    
    Hide the socket in two levels of subdirectories (the lower one having
    a randomly generated name and not visible to the chronyd process) to
    make the socket path unpredictable, and force the bind() or chmod() call
    to fail if the visible upper directory is replaced.
    
    Reported-by: Matthias Gerstner <mgerstner@xxxxxxx>
    
  • 54010586
    by Miroslav Lichvar at 2025-07-30T14:46:59+02:00
    socket: remove unused chmod() call
    
    Drop the SCK_FLAG_ALL_PERMISSIONS support from the socket code.
    chronyc is now calling chmod() on its socket itself in a hidden
    directory to mitigate the unsafe operation.
    
  • 9eaf8bc5
    by Miroslav Lichvar at 2025-07-30T14:46:59+02:00
    socket: rename sun variable to fix compilation on illumos
    
    "sun" is reserved on Solaris/illumos.
    
    Fixes: 3dea7dd72373 ("socket: rework setting of struct sockaddr_un")
    
  • 5e2cd47a
    by Miroslav Lichvar at 2025-07-30T14:57:01+02:00
    test: fix system tests to change also tempcomp owner
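
The two-level hidden directory described in commit 90d808ed, as an added C sketch that is not chrony's code and not taken from the commit. The function names, the 0711/0666 modes, the 64-bit random name and the descriptor pinning of the upper directory are assumptions of this example; binding after the upper directory has been swapped fails because the random lower name does not exist in the replacement.

```c
#define _POSIX_C_SOURCE 200809L /* O_DIRECTORY, O_NOFOLLOW, mkdirat() */
/* Added sketch, not chrony's code: paths, names and modes are assumptions. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Create upper/<random>/ and write the socket path to out. Mode 0711 (given a
   usual umask) lets other users traverse both levels but not list the name. */
int make_hidden_dir(const char *upper, char *out, size_t len)
{
    unsigned long long r = 0;
    char name[17];
    struct stat st;
    int ok, ufd, rfd = open("/dev/urandom", O_RDONLY);

    ok = rfd >= 0 && read(rfd, &r, sizeof r) == (ssize_t)sizeof r;
    if (rfd >= 0) close(rfd);
    /* The upper level must be newly created; pin it with a descriptor so the
       lower level lands in that directory and not in a replacement. */
    if (!ok || mkdir(upper, 0711) < 0 ||
        (ufd = open(upper, O_RDONLY | O_DIRECTORY | O_NOFOLLOW)) < 0)
        return -1;
    snprintf(name, sizeof name, "%016llx", r);
    ok = fstat(ufd, &st) == 0 && st.st_uid == geteuid() &&
         mkdirat(ufd, name, 0711) == 0 &&
         snprintf(out, len, "%s/%s/sock", upper, name) < (int)len;
    close(ufd);
    return ok ? 0 : -1;
}

/* bind() creates the socket and chmod() opens it to an unprivileged peer. Both
   resolve the whole path, so both fail if the upper level has been swapped. */
int bind_open_socket(const char *path)
{
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    int n, fd = socket(AF_UNIX, SOCK_DGRAM, 0);

    if (fd < 0) return -1;
    n = snprintf(sa.sun_path, sizeof sa.sun_path, "%s", path);
    if (n >= (int)sizeof sa.sun_path ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || chmod(path, 0666) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}
```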
    

4 changed files:


